Revision: 17908
http://sourceforge.net/p/edk2/code/17908
Author: niruiyu
Date: 2015-07-10 02:16:42 +0000 (Fri, 10 Jul 2015)
Log Message:
-----------
MdeModulePkg: Fix potential integer overflow issue
In certain rare circumstance, the data passed from outside of SMM may be
invalid resulting the integer overflow. The issue are found by code review.
Contributed-under: TianoCore Contribution Agreement 1.0
Signed-off-by: Ruiyu Ni <[email protected]>
Reviewed-by: Star Zeng <[email protected]>
Modified Paths:
--------------
trunk/edk2/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
trunk/edk2/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c
Modified:
trunk/edk2/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
===================================================================
---
trunk/edk2/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
2015-07-10 02:16:00 UTC (rev 17907)
+++
trunk/edk2/MdeModulePkg/Library/SmmCorePerformanceLib/SmmCorePerformanceLib.c
2015-07-10 02:16:42 UTC (rev 17908)
@@ -482,7 +482,8 @@
EFI_STATUS Status;
SMM_PERF_COMMUNICATE_EX *SmmPerfCommData;
GAUGE_DATA_ENTRY_EX *GaugeEntryExArray;
- UINTN DataSize;
+ UINT64 DataSize;
+ UINTN Index;
GAUGE_DATA_ENTRY_EX *GaugeDataEx;
UINTN NumberOfEntries;
UINTN LogEntryKey;
@@ -521,7 +522,7 @@
NumberOfEntries = SmmPerfCommData->NumberOfEntries;
LogEntryKey = SmmPerfCommData->LogEntryKey;
if (GaugeDataEx == NULL || NumberOfEntries == 0 || LogEntryKey >
mGaugeData->NumberOfEntries ||
- NumberOfEntries > mGaugeData->NumberOfEntries || (LogEntryKey +
NumberOfEntries) > mGaugeData->NumberOfEntries) {
+ NumberOfEntries > mGaugeData->NumberOfEntries || LogEntryKey >
(mGaugeData->NumberOfEntries - NumberOfEntries)) {
Status = EFI_INVALID_PARAMETER;
break;
}
@@ -529,19 +530,22 @@
//
// Sanity check
//
- DataSize = NumberOfEntries * sizeof(GAUGE_DATA_ENTRY_EX);
- if (!SmmIsBufferOutsideSmmValid ((UINTN)GaugeDataEx, DataSize)) {
+ DataSize = MultU64x32 (NumberOfEntries, sizeof(GAUGE_DATA_ENTRY_EX));
+ if (!SmmIsBufferOutsideSmmValid ((UINTN) GaugeDataEx, DataSize)) {
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandlerEx: SMM Performance Data
buffer in SMRAM or overflow!\n"));
Status = EFI_ACCESS_DENIED;
break;
}
GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
- CopyMem(
- (UINT8 *) GaugeDataEx,
- (UINT8 *) &GaugeEntryExArray[LogEntryKey],
- DataSize
- );
+
+ for (Index = 0; Index < NumberOfEntries; Index++) {
+ CopyMem (
+ (UINT8 *) &GaugeDataEx[Index],
+ (UINT8 *) &GaugeEntryExArray[LogEntryKey++],
+ sizeof (GAUGE_DATA_ENTRY_EX)
+ );
+ }
Status = EFI_SUCCESS;
break;
@@ -590,7 +594,7 @@
EFI_STATUS Status;
SMM_PERF_COMMUNICATE *SmmPerfCommData;
GAUGE_DATA_ENTRY_EX *GaugeEntryExArray;
- UINTN DataSize;
+ UINT64 DataSize;
UINTN Index;
GAUGE_DATA_ENTRY *GaugeData;
UINTN NumberOfEntries;
@@ -630,7 +634,7 @@
NumberOfEntries = SmmPerfCommData->NumberOfEntries;
LogEntryKey = SmmPerfCommData->LogEntryKey;
if (GaugeData == NULL || NumberOfEntries == 0 || LogEntryKey >
mGaugeData->NumberOfEntries ||
- NumberOfEntries > mGaugeData->NumberOfEntries || (LogEntryKey +
NumberOfEntries) > mGaugeData->NumberOfEntries) {
+ NumberOfEntries > mGaugeData->NumberOfEntries || LogEntryKey >
(mGaugeData->NumberOfEntries - NumberOfEntries)) {
Status = EFI_INVALID_PARAMETER;
break;
}
@@ -638,8 +642,8 @@
//
// Sanity check
//
- DataSize = NumberOfEntries * sizeof(GAUGE_DATA_ENTRY);
- if (!SmmIsBufferOutsideSmmValid ((UINTN)GaugeData, DataSize)) {
+ DataSize = MultU64x32 (NumberOfEntries, sizeof(GAUGE_DATA_ENTRY));
+ if (!SmmIsBufferOutsideSmmValid ((UINTN) GaugeData, DataSize)) {
DEBUG ((EFI_D_ERROR, "SmmPerformanceHandler: SMM Performance Data
buffer in SMRAM or overflow!\n"));
Status = EFI_ACCESS_DENIED;
break;
@@ -648,7 +652,7 @@
GaugeEntryExArray = (GAUGE_DATA_ENTRY_EX *) (mGaugeData + 1);
for (Index = 0; Index < NumberOfEntries; Index++) {
- CopyMem(
+ CopyMem (
(UINT8 *) &GaugeData[Index],
(UINT8 *) &GaugeEntryExArray[LogEntryKey++],
sizeof (GAUGE_DATA_ENTRY)
Modified: trunk/edk2/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c
===================================================================
--- trunk/edk2/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c
2015-07-10 02:16:00 UTC (rev 17907)
+++ trunk/edk2/MdeModulePkg/Library/SmmLockBoxLib/SmmLockBoxSmmLib.c
2015-07-10 02:16:42 UTC (rev 17908)
@@ -1,6 +1,6 @@
/** @file
-Copyright (c) 2010 - 2014, Intel Corporation. All rights reserved.<BR>
+Copyright (c) 2010 - 2015, Intel Corporation. All rights reserved.<BR>
This program and the accompanying materials
are licensed and made available under the terms and conditions
@@ -394,6 +394,7 @@
DEBUG ((EFI_D_INFO, "SmmLockBoxSmmLib UpdateLockBox - Exit (%r)\n",
EFI_BUFFER_TOO_SMALL));
return EFI_BUFFER_TOO_SMALL;
}
+ ASSERT ((UINTN)LockBox->SmramBuffer <= (MAX_ADDRESS - Offset));
CopyMem ((VOID *)((UINTN)LockBox->SmramBuffer + Offset), Buffer, Length);
//
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
edk2-commits mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/edk2-commits
